How to renew an expired Certificate Authority (CA)

  • 7013047
  • 14-Aug-2013
  • 10-Sep-2013

Environment

NetIQ eDirectory
NetIQ iManager

Situation

How to rebuild, renew or recreate an expired Certificate Authority (CA)
Steps for rebuilding / renewing / recreating an expired CA

Resolution

Please follow these preliminary steps to validate the Certificate Authority (CA):
  1. iManager | Roles & Tasks | Novell Certificate Server | Configure Certificate Authority | Certificates | Select ALL certificates | Select Validate.
  2. If the Certificate status shows Invalid or Expired, then proceed with the following section to renew the CA.

Please follow the steps below to delete and re-create the Organizational Certificate Authority (CA) for the TREE.
Note: Deleting the Organizational CA object will not invalidate any certificates that have already been signed by the Organizational CA, such as the server certificates (Key Material Objects) created for each of your servers. They will continue to function until they expire. However, you will not be able to install new servers into the tree or issue new certificates until you delete the expired CA and create a new Certificate Authority. User certificates will become invalid due to an Invalid Signature and will need to be re-issued.

  1. Delete the Organizational CA object. Please select one of the following options using iManager:
    • Option A: iManager | Roles & Tasks | Directory Administration | Delete Object | Browse to and Select the CA object located in the Security container
    • Option B: iManager | Select View Objects (magnifying glass) | Select the Security Container | Check the CA object | Select Delete
  2. Create a new Organizational CA object. Please select one of the following options:
    • Option A: Determine a Linux eDirectory server to host the Certificate Authority (CA)
      • In a terminal window on the eDirectory server, enter the following:
        ndsconfig upgrade -j
      • Provide the admin name with context (for example admin.org) and enter the password.
        Note: If there is no Organizational Certificate Authority (CA), one will be created.
    • Option B: Create a Certificate Authority (CA) using iManager:
      • iManager | Roles & Tasks | Novell Certificate Server | Configure Certificate Authority
      • Browse and select the server to host the new CA and provide a name for the object.
        Note: This can be any name; by default the object was originally called <treename> CA.
      • Select Next, Accept the Defaults, Finish.
  3. Using iManager, Browse to the Security container. The new Certificate Authority (CA) object should now exist.
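The Note above describes two effects of re-creating the CA: certificates issued by the old CA keep working until their own expiry, but anything validated against the new CA fails with an invalid signature. The following OpenSSL script is an added illustration of that behaviour using throwaway certificates; it is not part of this TID and does not touch eDirectory, and the names old-ca, new-ca and srv1 are constructed for the demo.

```shell
#!/bin/sh
# Added illustration (not from the TID): model the tree's original CA (old-ca),
# a server certificate issued by it (srv1), and a freshly re-created CA (new-ca).
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Create a self-signed CA key pair and certificate named $1.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$1.key" -out "$1.pem" -subj "/CN=$1 CA" >/dev/null 2>&1
}

# Issue a server certificate for CN=$1 signed by the CA named $2.
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
    -CAcreateserial -days 90 -out "$1.pem" >/dev/null 2>&1
}

# Pre-check equivalent of "Validate" in iManager: exit 0 while CA $1 is
# still within its validity period, non-zero once it has expired.
ca_still_valid() {
  openssl x509 -checkend 0 -noout -in "$1.pem" >/dev/null 2>&1
}

# Validate certificate $1 against CA $2: exit 0 = chain and signature OK,
# non-zero = cannot be verified (the "Invalid Signature" case in the Note).
verify_against() {
  openssl verify -CAfile "$2.pem" "$1.pem" >/dev/null 2>&1
}

make_ca old-ca                 # the tree's original Organizational CA
issue_server_cert srv1 old-ca  # a server KMO issued before the renewal
make_ca new-ca                 # the CA re-created after deleting the old one

ca_still_valid old-ca && echo "old-ca: certificate has not expired"
verify_against srv1 old-ca && echo "srv1 vs old-ca: valid (keeps working)"
verify_against srv1 new-ca || echo "srv1 vs new-ca: invalid signature (re-issue)"
```

Replacing old-ca.pem with an expired certificate makes ca_still_valid return non-zero, which is the condition that triggers the renewal procedure in this TID.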

Additional Information

If there are problems accessing iManager on the eDirectory servers, please consider the steps provided in TID 7013239 - How to configure Workstation iManager on a Windows desktop for certificate administration.